[TYPO3-core] RFC #12990 : referrer in felogin form is not encoded correctly
Helmut Hummel
helmut at typo3.org
Sun May 30 22:28:05 CEST 2010
Hi Steffen,
On 30.05.10 21:43, Steffen Kamper wrote:
>>>
>>> Steffen K: I think there was a recent RFC (two months ago or so) where
>>> rawurlencode() was introduced. Any reasons why we used "rawurlencode()"
>>> and not HSC?
>
> the reason is/was simple: referrer may contain urls with params like ?
> and &.
Well, yes of course, but so what?
> If this is used in url as single parameter, rawurlencoded is needed.
> I don't see that HSC is correct here.
I don't get it, sorry.
redirect_url is (imho correctly) passed through htmlspecialchars, but
for the referer you state rawurlencode is correct? Both are values for a
hidden field btw.
See attached small php file that demonstrates, that rawurlencode is
wrong because then you get the encoded url in the POST value, which is
clearly not what you want.
Am I missing something?
Regards Helmut
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100530/0e01772d/attachment.htm>
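The attached PHP file was scrubbed by the archive, so the following is an added, stand-alone illustration of the point made above; it is example code written for this page, not the attachment from the post and not TYPO3 core code. The field name `referer`, the `renderHiddenField` / `simulatedPostValue` helpers and the referrer value are constructed for the demonstration. It renders the hidden field three ways (unescaped, `rawurlencode`, `htmlspecialchars`) and approximates what a browser would send back in the POST body for each, which is the value the form handler actually sees.

```php
<?php
// Added example (not from the RFC thread or TYPO3 core): why a referrer placed
// in a hidden <input> must be escaped for the HTML attribute context
// (htmlspecialchars) rather than URL-encoded (rawurlencode).

declare(strict_types=1);

// Constructed referrer containing characters that matter in both contexts:
// '?' and '&' (URL syntax) plus a double quote that ends an attribute value.
$referrer = 'http://example.org/index.php?id=12&L=1"><b>injected</b>';

/**
 * Render a hidden field, applying the given escaper to the attribute value.
 * (Hypothetical helper; felogin's own markup differs in detail.)
 */
function renderHiddenField(string $name, string $value, callable $escaper): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $escaper($value) . '" />';
}

/**
 * Approximate what a browser submits for the field: it takes the attribute
 * value up to the closing quote, decodes HTML entities, and POSTs the result
 * verbatim. It does NOT percent-decode anything.
 */
function simulatedPostValue(string $html): ?string
{
    if (!preg_match('/value="([^"]*)"/', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$escapers = [
    'none' => function (string $v): string {
        return $v;
    },
    'rawurlencode' => 'rawurlencode',
    'htmlspecialchars' => function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    },
];

foreach ($escapers as $label => $escaper) {
    $html   = renderHiddenField('referer', $referrer, $escaper);
    $posted = simulatedPostValue($html);
    echo "== $label ==\n";
    echo "markup : $html\n";
    echo "posted : " . var_export($posted, true) . "\n";
    // Only htmlspecialchars round-trips the original referrer unchanged;
    // 'none' lets the quote terminate the attribute (the injected markup
    // becomes live HTML), and rawurlencode delivers "http%3A%2F%2F..." to
    // the handler because the browser never percent-decodes attribute values.
    echo "intact : " . ($posted === $referrer ? 'yes' : 'no') . "\n\n";
}

// Where the same value goes into a URL query string, rawurlencode is the right
// tool, because there the receiving script (not the browser) decodes it ...
$link = 'index.php?redirect_url=' . rawurlencode($referrer);
// ... and when that link is itself emitted inside HTML, the encodings are
// layered: rawurlencode for the URL parameter, htmlspecialchars for the markup.
echo '<a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '">back</a>' . "\n";
```

Run it with `php example.php`. The rule of thumb it illustrates: escape for the context the value is written into. A hidden field's `value` attribute is HTML attribute context, so `htmlspecialchars` applies, and the handler receives the original URL; `rawurlencode` belongs only where the value becomes a URL query parameter, and the two are combined when a URL containing the parameter is written into HTML.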